Enricher - PassiveTotal Malware#
Note
RiskIQ has been acquired by Microsoft.
At the time of writing, features from this enricher are not available on the Microsoft Defender Threat Intelligence API.
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
Specifications |
|
---|---|
Enricher name |
PassiveTotal Malware |
Input |
Domain and host. |
Output |
Polls data from the PassiveTotal API. It returns malware information related to the queried host or domain, such as malware hashes (hash-md5, hash-sha1, hash-sha256, and hash-sha512) and collection date. |
API endpoint |
|
Description |
The PassiveTotal Malware enricher provides malware information related to the queried host or domain, such as malware hash and collection date. |
Requirements#
Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials to access the API endpoint exposing the service.
Configure the enricher parameters#
Edit the enricher.
From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the PassiveTotal Malware enricher.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value:https://api.passivetotal.org/v2
.In the API key field, enter your API key.
In the Email field, enter the email address associated with the PassiveTotal Malware account to access and consume the PassiveTotal Malware API service.
To store your changes, click Save; to discard them, click Cancel.
Additional information#
The returned malware entries are also tagged with the following metadata:
enrichment_extracts.meta.classification: bad.
To set this value, go to the top navigation bar, click Data configuration > Rules > Observable > > Action > Mark as malicious.
enrichment_extracts.meta.confidence: low
.
To set this value, go to the top navigation bar, click Data configuration > Rules > Observable > > Confidence > Malicious — Low confidence/Malicious — Medium confidence/Malicious — High confidence.